CIO recently reported that a variant of spear phishing called whaling has emerged as a major cybersecurity threat. Whaling is a social-engineering scheme that exploits the relationship between executives and employees to trick employees into taking an illicit action. An attacker masquerading as an executive issues a request, and the employee carries it out. Notable companies such as Snapchat, Seagate, and others have suffered whaling attacks.


What can your organization do to mitigate the risk of a whaling attack? The answer involves several steps. While spam filtering and employee education have a role to play in preventing attacks from fake domains, we also have to protect against a compromised executive account, because executives are a form of privileged user.

Broaden Your Definition of a Privileged User

IT security professionals typically define privileged users as admins with broad access to sensitive information. But executives are also privy to sensitive information. Plus, they wield an authority that other privileged users don’t have. Employees are unlikely to question this authority. Unchecked access and authority are a risky combination that attackers can use to their advantage. For example, an attacker posing as an executive might ask accounting personnel to email sensitive financial information—or to transfer funds into a non-corporate account.

Understand that Executives Circumvent IT Security Policies Too

Recognizing that executives are privileged users is only the first step. Next, you need to realize that executives are like most end users: They are focused on doing their jobs. If security controls and policies prevent users and executives from being productive, they’ll find a way around the controls and policies.

Again, the salient difference between executives and end users is this: Executives have broader, more privileged access. And they are less likely to tolerate the restrictions IT places on other privileged users.

Implement Appropriate User Monitoring and Multifactor Authentication

However, if executives understand what’s at stake, they are more likely to abide by some security controls—especially if the controls are virtually invisible. For example, unobtrusive user monitoring can identify outsider abuse of insider privileges, thereby reducing the risk that hijackers can use executive privileges to deceive lower-level employees. Multifactor authentication that’s easy to use, such as thumbprint readers or YubiKeys, can also provide a convenient and effective security measure. Just remember: the less restrictive and more convenient the security solution, the less likely it is that executives will circumvent the solution’s policies and controls.
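As an added illustration (not the author's code) of two of the controls discussed above, filtering mail sent from fake domains and monitoring for misuse of an executive's identity, the following Python check flags an inbound message whose display name matches a known executive but whose sender address, sender domain, or Reply-To does not line up with that executive's real mailbox. The corporate domain, the executive list, the cue words and the sample message are constructed assumptions for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data for this example (not from the article).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
FINANCE_CUES = ("wire", "transfer", "urgent", "confidential", "invoice")

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
def within_one_edit(a: str, b: str) -> bool:
    # True if a differs from b by exactly one inserted, deleted or substituted character.
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if len(a) >= len(b): i += 1  # substitution advances both, insertion only one
            if len(b) >= len(a): j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) == 1

def whaling_indicators(raw: str) -> list[str]:
    # Identity anomalies that suggest an executive is being impersonated, plus wording cues.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr, from_dom = addr.lower(), domain_of(addr)
    reasons = []
    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr != real_mailbox:  # executive's name on another mailbox
        reasons.append(f"executive name '{name}' but sender address is {addr}")
    if within_one_edit(from_dom, CORPORATE_DOMAIN):  # typosquatted "fake domain"
        reasons.append(f"lookalike sender domain {from_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:  # replies diverted elsewhere
        reasons.append(f"Reply-To goes to {domain_of(reply)}, not {from_dom}")
    if reasons:  # wording cues alone are noisy, so report them only with an identity anomaly
        body = msg.get_payload() if not msg.is_multipart() else ""
        text = (msg.get("Subject", "") + " " + body).lower()
        hits = [w for w in FINANCE_CUES if w in text]
        if hits:
            reasons.append("finance/urgency cues: " + ", ".join(hits))
    return reasons
# Constructed sample: executive's name, lookalike domain, diverted Reply-To, payment request.
WHALING_MAIL = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo-office@mail-relay.example.net

Please wire the funds today; urgent and confidential.
"""
```

A mail gateway or SIEM rule built on these checks would route the flagged message for review or strip the executive display name before delivery, which is the kind of unobtrusive control the text describes.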

The threat of whaling is growing. It’s time to change our understanding of privileged users and mitigate the unique risks that executive privileges pose.

Travis Greene
May 19, 2016
2:11 pm